agent-zero

vrr/agent-zero

Fork 0

mirror of https://github.com/agent0ai/agent-zero.git synced 2026-05-17 04:01:13 +00:00

Commit graph

Author	SHA1	Message	Date
Alessandro	1f2d512226	fix(api): resolve image_get containment bypass (#1609 ) Fixes agent0ai/agent-zero#1609. Issue: "Unauthenticated Path-Containment Bypass in Agent Zero `/api/image_get`" https://github.com/agent0ai/agent-zero/issues/1609 Resolve the path-containment bypass in /api/image_get by resolving requested images against the Agent Zero base directory before serving them, including symlink-aware validation and the development RFC fallback path. Harden SVG and SVGZ responses with nosniff and a sandboxed CSP so uploaded SVGs cannot execute scripts in the Agent Zero origin. Add focused regressions for outside paths, symlink escapes, SVG headers, and development-mode remote validation.	2026-05-12 04:15:10 +02:00

Author

SHA1

Message

Date

Alessandro

1f2d512226

fix(api): resolve image_get containment bypass (#1609 )

Fixes agent0ai/agent-zero#1609.

Issue: "Unauthenticated Path-Containment Bypass in Agent Zero `/api/image_get`"
https://github.com/agent0ai/agent-zero/issues/1609

Resolve the path-containment bypass in /api/image_get by resolving requested images against the Agent Zero base directory before serving them, including symlink-aware validation and the development RFC fallback path.

Harden SVG and SVGZ responses with nosniff and a sandboxed CSP so uploaded SVGs cannot execute scripts in the Agent Zero origin. Add focused regressions for outside paths, symlink escapes, SVG headers, and development-mode remote validation.

2026-05-12 04:15:10 +02:00

1 commit